MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+...
-
Upload
belinda-anthony -
Category
Documents
-
view
222 -
download
2
Transcript of MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+...
![Page 1: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/1.jpg)
MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, [email protected] http://es-es.net
http://es-es.net/
![Page 2: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/2.jpg)
In attending this session you agree that any software demonstrated comes absolutely with NO WARRANTY. Use entirely at your own risk. Ernest or Eric, & the other 3rd party vendors whose software is demonstrated as part of this session are not responsible for any subsequent loss or damage whatsoever!
Legal advice– I am not a lawyer for legal advice please seek a trained lawyer in the field you have a question.
![Page 3: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/3.jpg)
ETHERNET ISSUES
Network and System Access– Unauthorized Join– Unauthorized Expansion of the
Network– VLAN Join– VLAN Tagging– Spoofing and Address Capture
Traffic Confidentiality– Passive Eavesdropping– Active Eavesdropping
Traffic Integrity– ARP Poisoning and Rogue DHCP
Server– Man in the Middle– Session Hijacking– Replay
Availability of Service– Denial of Service– Switch Control
RELATED ISSUES
Using Network as a Medium– Network Scanning– Break-Ins– Topology Discovery Protocols– Redundancy and Aggregation
Protocols Other Security Related
Issues– Configuration and Installation
Issues– Implementation Issues– Issues with Legacy Technology– Architectural Issues– Freely available Software for
Attacks and Exploits
![Page 4: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/4.jpg)
A switch learns the MAC address/port pairings and stores them in limited memory Easy to generate bogus frames and get the memory to owerflow
If a MAC address is unknown the switch broadcasts it out of all its ports
Makes eavesdropping possible Spanning Tree Protocol is used to define the
logical topology for an Ethernet segment Any host can claim to be the STP root and direct large parts of traffic to go through itself
Man in the Middle attack (MitM) STP can also be used for Denial of Service (DoS)
![Page 5: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/5.jpg)
DHCP poisoningA new host on LAN broadcasts a request for IP and router information
Any host can pretend to be the DHCP server and tell that it is the router
Enables a Man in the Middle attackARP poisoning
Any host on LAN can broadcast a gratuitous ARP message claiming to have any IP address (including the router) at its MAC address
ARP poisoning can be used to hijack an ongoing session
![Page 6: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/6.jpg)
Frames can hop from one Virtual LAN to another with "double tagging" VLANs supposedly bring security
VLAN management protocols enable all kinds of attacks
Frame padding and MAC table timeouts leak information With persistance the attacker can passively wait for HTTP
cookies All attacks can be (and are being) made to software
Ettercap for MitM, http://ettercap.sourceforge.net/ Sniffers for eavesdropping: Wireshark, ngrep, tcpdump, snoop
Packet crafting tools: packETH, Bit-Twist, Mausezahn, Hping, Nemesis, Scapy, Yersinia, THC Parasite, macof
Packetsquare for capture, edit and replay
![Page 7: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/7.jpg)
Access Control and Node Authentication– Physical Protection of the
Network– Segmentation and VLANs– Access Control Lists– Authentication based Access
Control– IEEE 802.1X
– Network Access Control Network Integrity
Protection– Securing ARP
– Port Security– Control and Management Plane
Overload Protection (CoPP)– Control and Management Plane
Logical Protection– STP BPDU and root guard
– Deep Packet Inspection– Proper Configuration
Traffic (Payload) Integrity and Confidentiality Protection– Traffic Encryption and
Integrity Verification– IEEE 802.1AE MACsec
– Replay Protection Intrusion Detection and
Prevention Systems Hiding or Obfuscating
Network Topology Future solutions
– Automated Key Management Policies
– Cryptographically generated addresses
– Removing ARP broadcasts– OpenFlow or DHT/TRILL
![Page 8: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/8.jpg)
IEEE has no architectural solutions, except VLAN
802.1X adds authentication, does not protect from misuse Authenticated entities may misbehave
802.1AE MACsec adds confidentiality (encryption) Based on 802.1X authentication Not end to end, but host to switch
802.1X and MACsec require administration activities per node Software installation, identity management High cost, little flexibility
![Page 9: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/9.jpg)
Vendor solutions can make Ethernet fairly secure, but require configuration
Configuring each switch with knowledge of topology Port Security, Root Guard, BPDU Guard... Effectively these are ACLs with fancy names
to separate user and control (and management) planes
Good administration practices Knowledge of vendor-specific quirks of
the switches
![Page 10: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/10.jpg)
Ethernet architecture is flawed from security point of view It is a nice and simple LAN architecture But it is "fail open" by design
▪ If you don't know how to handle a frame, send it to everybody
▪ Trusting everybody is implicit Vendor solutions require active
management Mainly to tell the switches the topology (trunk ports
and leaf node ports) Potential new solutions
Deduct topology information automatically (low management overhead) then use Intrusion Prevention Systems and ACLs to protect the network
Get rid of ARP and broadcasts (with e.g. DHT-Trill)
![Page 11: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/11.jpg)
1. SHARED, UNCONTROLLED MEDIA: Invisible & Airborne Threats are Hard To Control vs.
Wired Network 2. SELF-DEPLOYING & TRANSIENT NETWORKS
Simplicity of Self Discovery Create Security Challenges Mobile Nature of Wireless LAN Devices and Users
Require In-depth Forensics capability to Address Security Breaches
3. USER INDIFFERENCE Invisible Connectivity & True Distributed Nature Gives a
Faulty Sense of Security 4. EASIER TO ATTACK
Lax WLAN Security is the Lowest Hanging Fruit for Hackers
Dozens of Tools Readily Available to Exploit these Holes
![Page 12: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/12.jpg)
From a System management terminal, someone could: Add non-dedicated machines for administration Install new programs and new vulnerabilities Forget to update the management application when
updating other LMR machines Remote into the management application from outside
the LMR network Connect LMR to existing management functions
Protect, Detect, Respond Physically secure the management terminals Ensure system managers are authenticated Ensure appropriate privileges for users Update patches and manage administrator terminals
![Page 13: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/13.jpg)
With the Radios, someone could: Use a radio purchased from eBay Steal an existing radio from storage Send invalid data packets from the radio and
terminals Infect the radios with viruses What else could be done?
Protect, Detect, Respond Ensure subscribers are authorized and authenticated Ensure that alerts are generated when unauthorized
radios attempt to access the system Implement firewalls and Router Access Control Lists
to ensure only valid packets are passed Close unnecessary ports and protocols
![Page 14: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/14.jpg)
Network Edge blurred – another access into your mission critical network
Rogues, hackers, mis-configured devices
Organized crime – hacking for profit Interfacing with other systems Access control Combination of public and private
network connectivity Multiple agency access
![Page 15: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/15.jpg)
OPEN AP‟S Let‟s all play nice
COOKIE SESSION IDS SSL login, and then?
EDIT COOKIES Sniff and edit
FERRET AND HAMSTER http://erratasec.blogspot.com/sidejacking.zip
![Page 16: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/16.jpg)
DHCP Attack Exploit attacks a client and loads creates a Admin User
on device DHCP Broadcast Attack (MS06-036) http://www.milw0rm.com/sploits/07212006-
MS06_036_DHCP_Client.tar.gz
DNS ATTACK/MANIPULATION Can offer anything to you and you believe it Sites: Banking, Hotel, Airlines, Work (Exchange, Oracle,
SQL)
TORNADO Web-based attack tool which exploits up to 14 browser
vulnerabilities and installs malware on the user's system
![Page 17: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/17.jpg)
YOUR NOTEBOOK IS: 1. Not location-
aware Office Home Hotspot
2. Wants to always connect to something
![Page 18: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/18.jpg)
![Page 19: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/19.jpg)
Virtual Local Area Networks A logical grouping of devices or users Users can be grouped by function,
department, application, regardless of physical segment location
VLAN configuration is done at the switch (Layer 2)
VLAN's are not security! They are obscurity, they are great forsegmentation and traffic management
![Page 20: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/20.jpg)
Static VLAN Assignment- Port based membership: Membership is determined by the port on the switch on not by the host.
Dynamic VLAN Assignment- Membership is determined by the host’s MAC address. Administrator has to
create a database with MAC addresses and VLAN mappings
![Page 21: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/21.jpg)
• VLANS cannot communicate with each other even when they exist on the same switch
• For VLANS to communicate they must pass through a router
• Each VLAN is required to have at least one gateway to route packets in and out of the network
![Page 22: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/22.jpg)
Trunking allows us to cascade multiple switches using the trunk ports to interconnect them
Trunk ports act as a dedicated path for each VLAN between switches
The trunk port is a member of all configured VLANs
![Page 23: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/23.jpg)
These attacks are designed to allow the attacker to bypass the Layer 3 device
The attack takes advantage of incorrectly configured trunk ports on network switches
![Page 24: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/24.jpg)
Basic VLAN Hopping Attack1. Attacker fools switch into thinking that he is a switch that needs trunking2. The attack needs a trunking favorable
setting such as Auto to succeed 3. The attacker is now a member of all
trunked VLANs on the switch and he send and receive data on those VLANs
![Page 25: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/25.jpg)
Double Encapsulated VLAN Hopping Attack1. Switches perform only one level of IEEE
802.1q decapsulation 2. This allows the attacker to specify a .1q
tag inside the frame, allowing the frame to go to a VLAN that the outer tag did specify.
3. This attack works even if Trunk ports are set to OFF
![Page 26: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/26.jpg)
Use dedicated VPAN for all trunk ports. Avoid using VLAN 1. Deploy port security. Set users ports to non trunking. Use ARP security options. Use BPDU guard, Root guard. Use PVLANs. Disable CDP. Disable unused ports and put them in an unused vlan. Ensure DHCP attack prevention.
26
![Page 27: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/27.jpg)
![Page 28: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/28.jpg)
Listed in Lab manual starting on Page 11 MiniPwner Here is a list of some of the software that comes
installed: Nmap network scanner Tcpdump sniffer Netcat Hacker’s swiss army knife aircrack Wireless network analysis kismet Wireless network analysis perl Perl Scripting Language openvpn VPN Client and Server dsniff suite of sniffing and spoofing tools, including arpspoof nbtscan NetBIOS Network Scanner snort Sniffer, Packet Logger, Intrusion Detection System samba2-client Windows File Sharing Client elinks Text Based Web Browser yafc FTP Client openssh-sftp-client Secure File Transfer Client
![Page 29: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/29.jpg)
Fully loaded. Wireless, 3G/GSM, & NAC/802.1x bypass!Includes 3G, Wireless, & USB-Ethernet adaptersFully-automated NAC/802.1x/RADIUS bypass!Out-of-band SSH access over 3G/GSM cell networks!One-click Evil AP, stealth mode, & passive reconMaintains persistent, covert, encrypted SSH access to your target network Tunnels through application-aware firewalls & IPSSupports HTTP proxies, SSH-VPN, & OpenVPN
![Page 30: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/30.jpg)
Analyze riskrisk = (cost of an exploit)*(likelihood it will occur)
Mobile devices make this inexpensive and very possible (BeetleJuice) inside of “Flame”
Demos:Bypass DLP
(Safepod)ANTIFaceNifWIFI Kill
![Page 31: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/31.jpg)
• Inherent trust. “It’s MY PHONE.”• Portability is a benefit and a risk
• Controls if lost• Lock/Erase? Implications of erasing
personal data• PIN security – secure or easy to do 1 handed• What is resident in memory?
• Malware – whole new breed of malware and products
• Malicious apps• Increasing• How do you write secure apps?
• Social engineering providers – value of OOB communication
• Where did my app come from ? What is a trusted source?
![Page 32: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/32.jpg)
![Page 33: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/33.jpg)
Username: rootPassword: toorstartx
![Page 34: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/34.jpg)
Tools organized by category in the typical order of a penetration test.
Main collection of tools by category
![Page 35: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/35.jpg)
Sweet and Simple ICMP: Ping
Fping- quickly check an IP range.
Not very reliable; many servers and firewalls can turn off ICMP replies.
![Page 36: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/36.jpg)
TCP and UDP- More than ICMP Replies
Nping TCP UDP IP ranges
Many others for Internal and External▪ Applications> Backtrack> Information
Gathering> Network Analysis> Identify Live Hosts
![Page 37: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/37.jpg)
Nping --tcp –p 8080 66.110.218.68
![Page 38: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/38.jpg)
Linux: tracerouteWin: tracert
Seeing hops and routers in between.Zenmap
The all-in-one GUI for nmap Hop and routing maps Save findings for later Extremely easy
![Page 39: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/39.jpg)
“doors” on the system where info is sent out from and received
When a server app is running on a port, it listens for packets
When there is nothing listening on a port, the port is closed
TCP/IP Stack 65,536 TCP Ports
![Page 40: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/40.jpg)
Open – port has an application listening on it, and is accepting packets.
Closed – port is accessible by nmap, but no application is listening on it.
Filtered – nmap can’t figure out if the port is open or closed because the packets are being filtered. (firewall)
Unfiltered – Ports are accessible, but nmap can’t figure out if it is open/closed.
![Page 41: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/41.jpg)
Any port can be configured to run any service. But major services stick to defaults
Popular TCP ports/services: 80 – HTTP (web server) 23 – Telnet 443 – HTTPS (ssl-encrypted web servers) 21 – FTP 22 – SSH (shell access) 25 – SMTP (send email) 110 – POP3 (email retreival)ecure shell,
replacement for Telnet)
![Page 42: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/42.jpg)
445 – Microsoft –DS (SMB communication w/ MS Windows Services
139 – NetBIOS-SSN (communication w/ MS Windows
services – 143 – IMAP (email retreival) – 53 – Domain (DNS) – 3306 – MYSQL (database)
![Page 43: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/43.jpg)
Nmap ("Network Mapper") is a great tool that we have in both the portable apps and in BT
Extremely powerful.
Simple use:Nmap –v –A‘v’ for verbosity and ‘A’ for OS/version
Detection
![Page 44: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/44.jpg)
Scan one target or a range
Built-in profiles or make your own for personal ease.
![Page 45: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/45.jpg)
Visual Map Hop Distance Router
InformationGroup Hosts by
Service
Using a quite traceroute
![Page 46: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/46.jpg)
Here are some IPs open to be scanned. Be careful! 66.110.218.68 66.110.220.87 Hackerinstitute.net 66.110.218.106 moodle.gcasda.org
Just in case 192.168.2.254 192.168.2.240
![Page 47: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/47.jpg)
![Page 48: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/48.jpg)
Host name to IP lookup:nslookup www.es-es.net
Reverse lookup:nslookup 74.208.95.36
![Page 49: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/49.jpg)
dig [domain] any
dig es-es.net any
The ‘any’ switch is used to show all DNS entries.
![Page 50: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/50.jpg)
Just a few record types cribbed from: http://en.wikipedia.org/wiki/List_of_DNS_record_types
Code Number Defining RFC Description
A 1 RFC 1035 address record
AAAA28 RFC 3596 IPv6 address
record
MX 15 RFC 1035 mail exchange record
CNAME 5 RFC 1035 Canonical name record
PTR 12 RFC 1035 pointer record
AXFR 252 RFC 1035 Full Zone Transfer
![Page 51: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/51.jpg)
http://serversniff.net/subdomains.phphttp://serversniff.net/nsreport.php gcasda.orghttp://serversniff.net/content.php?do=httprobots
http://whois.domaintools.com/
Tools on Thumb DriveDNS Lookup good DIG tool(GUI) http://nscan.org/dig.html
Nirsoft’s http://www.nirsoft.net/utils/whois_this_domain.html
http://www.nirsoft.net/utils/ipnetinfo.html
![Page 52: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/52.jpg)
Using Wireshark and taking advantage of unencrypted traffic. Telnet Session Website logins SNMP capture
![Page 53: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/53.jpg)
Wlan0 needs to be in monitor mode
![Page 54: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/54.jpg)
List the available capture interfaces.
![Page 55: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/55.jpg)
Choose an interface…
![Page 56: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/56.jpg)
ip.src==[ip_address_of_target]Filter by protocol
telnet ssh http, etc.
and This is used to link multiple filters
together
![Page 57: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/57.jpg)
Everything is unencrypted over telnet; every character typed is sent as an individual packet.
Wireshark can follow and piece together the packet stream for us.
This will allow us to see the password in clear text.
![Page 58: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/58.jpg)
Here is the unencrypted login page^Set wireshark to filter and display HTTP onlyWe are now looking for an interesting URL.POST requests can be full of information.
![Page 59: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/59.jpg)
Web login for the procurve 2524Captured login packets, found
encoded password hash.Hash looked base64, and used Cain
to decode it:
![Page 60: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/60.jpg)
The same password from the telnet session
![Page 61: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/61.jpg)
Sniff SNMPv1 or SNMPv2c clear text
You'd be a fool not to sniff traffic and look for UDP 161 just in case some SNMP traffic leaks to client or servers you control
Also, try community string guessing/dictionary attacking against SNMPv1, v2c, or v3
![Page 62: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/62.jpg)
Onesixtyone by Solar Eclipse Speedy –Sends lots of requests in parallel, not
waiting for responses Doesn't stop on success –enumerates all valid
community strings for a device Good for large-scale iteration through network
address space dict.txt includes 49 common strings Free at www.phreedom.org/solar/onesixtyone/
Free Metasploit module: auxiliary/scanner/snmp/community Nice, flexible RHOSTS options (range, list, file, IPv6,
etc.) Stops once it gets a success on a given target
(maybe just Read) Includes snmp.txt file with 119 common strings
![Page 63: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/63.jpg)
If you achieve SNMP Read/Write access, you own the device We can download running or startup
configuration for detailed analysis Crack the passwords for it and use them on
other network devices Cisco enable passwords are typically stored
using salted MD5, easily cracked using John or oclHashcat
We could dump CDP, ARP cache, and routing table for target enumeration
We could reconfigure the device to allow all sorts of access, such as telnet, ssh, http, or https
![Page 64: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/64.jpg)
/pentest/enumeration/snmpOnesixtyone
Can dictionary attack SNMP community names
With names we can enumerate.
onesixtyone –c dict.txt 192.168.2.240
![Page 65: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/65.jpg)
Both snmpcheck and snmpenum are good, but they have their pros and cons.
We will use snmpcheck today. ./snmpcheck-1.8.pl -t 192.168.2.240 -c
admin -v 2 We have the admin community from the
attack with onesixtyone. Or with the –w option we can check or
write access and see if we can reconfigure the switch
![Page 66: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/66.jpg)
Cell Communication has been hacked it is not secure Defcon Demos
Email pop smtp sent in clear text. If you lose the device it is not stored in a secure environment. Running wireshark to sniff account at coffee shopSeveral mobile apps have poor security including some bank apps that store username and password on the device in clear text i.e. Citibank PayPal had the app state that if the SSL cert was bad allow it anyway Local device storage issues SSD tends to move the app around on the deice Good uses an encrypted container to store email in “secure” environment
![Page 67: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/67.jpg)
Can they get into your VM or fake the caller ID http://www.telespoof.com/freecall/agi http://www.spoofcard.com/
http://www.telespoof.com/freecall/agi www.spoofcard.com http://www.slydial.com/apps.php
![Page 68: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/68.jpg)
From the cell tower to back you is unencrypted. Rogue Apps Live malware foundHow will you updated Over the air or tethered What about Bring your own Device Jailbreakme.com it is so easy to jailbreak / Rooting a devicePublish standards of what you will or will not supportPoorly codded apps that limit password length complexity, and allow paste Running Wireshark from a mobile device
![Page 69: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/69.jpg)
Mobile Management tools available from several 3rd party Vendors : more info on es-es.net AirWatch, Good Technology, MobileIron, Sybase, and Zenprise
Most offer remote wipe of Corporate APPS and email. Some have antimalware and filtering options
Read the list of permissions that app requests before you install it Does that list make sense? For instance, does a game really need to be able to send premium text messages or access your contact list?
![Page 70: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/70.jpg)
Metagoofilhttp://www.edge-security.com/metagoofil.php
Exploit DB Google Dorkshttp://www.exploit-db.com/google-dorks/
Online Google Hacking Toolhttp://www.secapps.com/a/ghdb
SiteDiggerhttp://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx
Goolaghttp://goolag.org
![Page 71: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/71.jpg)
RobTexWhile the interface is a bit weird in my opinion, this is a great site for doing reverse DNS look-ups on IPs, grabbing Whois contacts, and finding other general information about an IP or domain name.http://www.robtex.com
ServerSniffThis one is sort of an odd ball. Lots of sites offer Whois info, this one goes for more exotic tools. You really have to just play with it to find all of its features. It’s sometimes hard to remember which option is where. Just some of the tools are: ICMP & TCP traceroutes, SSL Info, DNS reports and Hostnames on a shared IP. It’s nice to have them do some of the recon for you if you don’t want to use a proxy and don’t wish for your IP to show up in the target’s logs. http://serversniff.net
![Page 72: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/72.jpg)
Check if your email address has been ownedhttp://beta.serversniff.de/compromised.php
![Page 73: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/73.jpg)
Portable apps Angry IP Scanner Wireless keyviewZenmap will do more after lunchAttack_Surface_Analyzer_BETA_x64WsccGoogle Hacking Diggity Project -- SearchDiggity.Client Google and Bing “hacking” Creepy FreeScreenRecord– HoffmanUtilitySpotlight2009_04 -- Rich Copy great copying
![Page 74: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/74.jpg)
From the portable apps we will do an angry IP scanner on our local network to see what ports are open and if we can get into them.
TCPViewSuffering from a slow connection? You get the feeling that something's bogging down your WiFi or Ethernet adapter? TCPView (also a part of Sysinternals and available via WSCC) is your chance to figure out which process is costing you how much bandwidth and deal with this connection hog. Simply launch TCPView and sort all processes by clicking the "Sent Packages/Bytes" or "Rcvd Packages/Bytes" header to get the top bandwidth hogs.
![Page 75: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/75.jpg)
Sign up for BrowserCheck Business EditionEnsure all browsers and plug-ins used within your organization areup-to-date with the latest security patchesBrowserCheck Business Edition:Provides you with a unique URL to give to users inside your companyAllows your users to scans their browsers and plug-ins for security issuesHelps you track the state of browser security in your organization over timehttp://www.qualys.com/forms/browsercheck-business-edition/
![Page 76: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/76.jpg)
![Page 77: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/77.jpg)
Vulnerabilities:–OWASP (http://www.owasp.org)–SANS Top 20 (www.sans.org/top20) –National Vulnerability Database (http://nvd.nist.gov)–cgisecurity (http//www.cgisecurity.com)
Guidance:–National Institute of Standards and Technology (NIST) Computer Security Resource Center (http://csrc.nist.gov/publications/nistpubs/)–Center for Internet Security (CIS) (http://www.cisecurity.org/)–Educause (http://connect.educause.edu/term_view/Cybersecurity)
![Page 78: MS Information Assurance, CISSP, CWNA, CEH, MCSE, Security+, I-Net+, Network+, Server+, CNA, A+ erstaats@es-es.neterstaats@es-es.net ://es-es.net.](https://reader031.fdocuments.in/reader031/viewer/2022020721/56649d215503460f949f6435/html5/thumbnails/78.jpg)